Running Hard to Stay in Place
April 23, 2019
by Peter Kelley, Owner, Kelley Group Two
The fifth annual extensive study on third party risk, “Running Hard to Stay in Place,” released by Shared Assessments and Protiviti, is broken down by industry sectors and program maturity criteria. This year’s study has some very interesting findings:
- Awareness of third party risks by an organization’s Board of Directors is a strong indicator of vendor risk management (VRM) program maturity: 57 percent of organizations reporting high levels of board engagement also reported mature and advanced vendor risk management programs.
- The tech sector leads in board engagement, followed by the manufacturing and healthcare sectors.
- There were no sectors in which more than 50 percent of respondents reported mature vendor risk management programs. Four in ten organizations had fully mature VRM programs, but almost a third had ad hoc or no program in place.
- Every sector reports progress over the last year in identifying, assessing and managing their critical third party vendors, with 41 percent reporting mature processes in place. Only 7 percent of respondents have not begun identifying and separately managing critical vendors.
- Sixty-seven percent more organizations reported serious disruption from a cyber-attack or hacking incident vs. the previous year. The percentage of organizations fixing such issues within one month dropped by 17 percent. Last year, only 28 percent of respondents reported that such fixes took three months to a year; this year, 37 percent of respondents reported that fixing such issues required three months to a year.
- A majority of organizations (55 percent) are extremely or somewhat likely to move away from high-risk relationships.
Survey results show that vendor risk management (VRM) programs in the technology and insurance/healthcare payer sectors have achieved the greatest levels of program maturity overall; however, no sector reported more than 50 percent of respondents at a mature level with regard to managing vendor risk. The technology and insurance sectors also led in fourth-party VRM, confirming companies in these sectors, on average, most carefully assess the risk postures of their vendors’ full ecosystem, including subcontractor relationships.
“Technology has evolved traditional vendor site visits and shifts to cloud and shared services quickened the pace of change,” said Linnea Solem, CEO and Founder of Solem Risk Partners, LLC, and member of the Shared Assessments Advisory Board. “Virtual Assessments enable rigorous evaluations following standardized control and test procedures to provide testing assurance with evidence in a way that is efficient for both service providers and outsourcers.”
The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.
“While third-party monitoring is improving, serious risks continue due to location factors such as political unrest, weather, law changes and legislation,” said John Bree, SVP and Partner, NEO Group, and member of Shared Assessments Steering Committee. “The World Economic Forum identified Location Risk as a top concern, and market analysis concludes that real-time, continuous location monitoring is a critical component of any third-party risk program.”
The 2019 survey added 81 new practice measures or criteria, in line with the 2019 VRMMM, including those focusing on continuous monitoring, the risk assessment of fourth-party vendor relationships and privacy, thus reflecting the expanding threat landscape and global regulatory compliance demands.
“This comprehensive study codifies what recent news events have shown: the threat landscape is morphing almost daily, with nation state threats, advanced cyberattacks, new forms of activism, potential liability shifts and other factors bringing new importance to vendor risk management practices and programs,” said Shared Assessments Chairman and President Catherine A. Allen. “This benchmark study and the member-driven Shared Assessments Program’s vendor risk management tools, best practices, certifications and shared knowledge form the intelligence ecosystem for vendor risk management that’s relied upon by leading consulting organizations and risk management practitioners around the world.”
The 2019 “Vendor Risk Management Benchmark Study: Running Hard to Stay in Place” report is available free of charge on the Shared Assessments site and on the Protiviti site, along with an infographic of survey highlights and a podcast. A free one-hour webcast featuring Paul Kooney and Gary Roboff, senior advisor, The Santa Fe Group, Shared Assessments Program, discussing the survey findings and sharing practical ways to improve vendor risk, will be held on May 1 at 11:00 a.m. PDT.